Resolve Facebook security warnings when a user enables https

by Ajit Gaddam on June 8, 2011

Facebook has recently enabled sitewide secure login over https for its users. If you haven't done so yet, you may want to enable secure login for your Facebook account. When a user who has https enabled lands on your page or Facebook app, your page may generate security warnings about the webpage content that was delivered.

The message is “Do you want to view only the webpage content that was delivered securely?

This webpage contains content that will not be delivered using a secure HTTPS connection, which could compromise the security of the entire webpage”

The reason for these security warning messages:

Cross-domain content being pulled together raises SSL warnings

If an FB app does not have the Secure Canvas URL set, the error message will be shown

Content comes from FB, from the host of the third-party app, and from the host where the content is located

Past

Use Facebook tabs built with FBML (Facebook Markup Language), derived from HTML and using FB-approved JS and AJAX commands

Do not want to run everything over SSL: it is expensive from a cost and performance perspective

Install an SSL cert on the webserver hosting the app files. Get the SSL cert or the Progressive signed cert – valid for the domain

Do not use a self-signed certificate

Remove http references to content.

Add https references when it's known https code. Example: using jQuery from the googleapis.com ajax library

Same for any FB connect code over http

The best way, actually, is to use a protocol-relative URL: start it with // to ensure the content is loaded over the same protocol as the parent page. That way, when someone visits your content via http://, the content you are embedding doesn't get encrypted unnecessarily.

Populate the Secure Tab URL field or Secure Canvas URL field in the app

You don't need SSL certs for every client: if you get a valid SSL cert for your domain and host all the content on it, you can host multiple clients' iframe content
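To find the http references that need removing, the page markup can be scanned before it is deployed. The following is an added example, not code from the original post: it lists every embedded resource still referenced over http:// and shows the protocol-relative form; the sample page, hosts, and function names are assumptions made for illustration.

```python
from html.parser import HTMLParser

# Attributes that make the browser fetch content into the page. <a href> is
# navigation, not embedded content, so it is deliberately absent.
SUBRESOURCE_ATTRS = {"script": "src", "img": "src", "iframe": "src", "embed": "src",
                     "audio": "src", "video": "src", "source": "src",
                     "object": "data", "link": "href"}
# <link> only loads content for rel values like these (not rel="canonical").
LOADING_RELS = {"stylesheet", "icon", "preload"}

class MixedContentFinder(HTMLParser):
    """Collects (line, tag, attr, url) for subresources referenced over http://."""
    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        attr = SUBRESOURCE_ATTRS.get(tag)
        if attr is None:
            return
        if tag == "link" and not set((attrs.get("rel") or "").lower().split()) & LOADING_RELS:
            return
        url = (attrs.get(attr) or "").strip()
        if url.lower().startswith("http://"):
            self.findings.append((self.getpos()[0], tag, attr, url))

def find_insecure_refs(html):
    """Return every http:// subresource reference found in the markup."""
    finder = MixedContentFinder()
    finder.feed(html)
    finder.close()
    return finder.findings

def to_protocol_relative(url):
    """http://host/path -> //host/path; the host must also serve it over https."""
    return url[len("http:"):] if url.lower().startswith("http://") else url

# Constructed sample page (hosts and paths are placeholders, not a real app).
SAMPLE = """<html><head>
<script src="http://ajax.googleapis.com/ajax/libs/jquery/X.Y.Z/jquery.min.js"></script>
<link rel="stylesheet" href="//cdn.example.com/app.css">
<link rel="canonical" href="http://example.com/tab">
</head><body>
<img src="http://example.com/logo.png"><a href="http://example.com/about">About</a>
</body></html>"""

for line, tag, attr, url in find_insecure_refs(SAMPLE):
    print(f"line {line}: <{tag} {attr}> {url} -> {to_protocol_relative(url)}")
```

Only the script and the image are reported: the canonical link and the anchor do not load content into the page, so they do not trigger the warning.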